From b54014ac76f579d85c718d1ac1b2d8ed35d8a582 Mon Sep 17 00:00:00 2001
From: James Pattinson
Date: Sun, 12 Oct 2025 18:52:16 +0000
Subject: [PATCH] Allow external emails to send
---
 postfix/Dockerfile | 4 +++-
 postfix/entrypoint.sh | 6 +++++-
 postfix/main.cf.template | 14 ++++++++++++++
 postfix/sender_access | 10 ++++++++++
 4 files changed, 32 insertions(+), 2 deletions(-)
 create mode 100644 postfix/sender_access
diff --git a/postfix/Dockerfile b/postfix/Dockerfile
index d6a40a5..7b4be21 100644
--- a/postfix/Dockerfile
+++ b/postfix/Dockerfile
@@ -13,11 +13,13 @@ RUN apt-get update && \
 COPY main.cf.template /etc/postfix/main.cf.template
 COPY sasl_passwd.template /etc/postfix/sasl_passwd.template
 COPY virtual_aliases.cf /etc/postfix/virtual_aliases.cf
+COPY sender_access /etc/postfix/sender_access
 COPY entrypoint.sh /entrypoint.sh
 RUN chmod +x /entrypoint.sh
-# Generate Postfix maps for virtual aliases
+# Generate Postfix maps for virtual aliases and sender access
 RUN postmap /etc/postfix/virtual_aliases.cf
+RUN postmap /etc/postfix/sender_access
 # Expose SMTP
 EXPOSE 25
diff --git a/postfix/entrypoint.sh b/postfix/entrypoint.sh
index 800b4a5..35299d8 100644
--- a/postfix/entrypoint.sh
+++ b/postfix/entrypoint.sh
@@ -7,9 +7,13 @@ envsubst < /etc/postfix/main.cf.template > /etc/postfix/main.cf
 # Generate SASL password file from environment variables
 envsubst < /etc/postfix/sasl_passwd.template > /etc/postfix/sasl_passwd
-# Generate Postfix hash
+# Generate Postfix hash databases
 postmap /etc/postfix/sasl_passwd
 chmod 600 /etc/postfix/sasl_passwd /etc/postfix/sasl_passwd.db
+# Regenerate sender_access database (in case of updates)
+postmap /etc/postfix/sender_access
+chmod 644 /etc/postfix/sender_access /etc/postfix/sender_access.db
+
 # Start Postfix in foreground
 exec postfix start-fg
diff --git a/postfix/main.cf.template b/postfix/main.cf.template
index d4aa29a..8630a4d 100644
--- a/postfix/main.cf.template
+++ b/postfix/main.cf.template
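Review bot: In postfix/entrypoint.sh the added `postmap /etc/postfix/sender_access` has no failure handling, so if it fails at start-up the script can still reach `exec postfix start-fg` with the `sender_access.db` that the Dockerfile built into the image, and a sender removed from the list would stay permitted. Whether `set -e` is in effect cannot be seen here, because the top of the script is outside the hunk. I would make the step fail closed: `postmap /etc/postfix/sender_access || { echo "postmap sender_access failed" >&2; exit 1; }`. The comment could also say how an update is expected to arrive (bind mount or rebuilt image), since the file is otherwise only copied in at build time.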
@@ -3,6 +3,9 @@ myhostname = lists.sasalliance.org
 myorigin = sasalliance.org
 mydestination = $myhostname, localhost.$mydomain, localhost
+# Virtual alias domains - domains we handle via virtual_alias_maps
+virtual_alias_domains = lists.sasalliance.org
+
 # Relay through SES
 relayhost = [${SMTP_HOST}]:${SMTP_PORT}
 smtp_tls_security_level = encrypt
@@ -16,6 +19,17 @@ smtp_sasl_security_options = noanonymous
 # Virtual aliases (static for now)
 virtual_alias_maps = hash:/etc/postfix/virtual_aliases.cf
+# Sender restrictions - enforce whitelist
+smtpd_sender_restrictions =
+ permit_mynetworks,
+ check_sender_access hash:/etc/postfix/sender_access,
+ reject
+
+# Recipient restrictions - accept mail for our domains
+smtpd_recipient_restrictions =
+ permit_mynetworks,
+ reject_unauth_destination
+
 # Other recommended settings
 alias_maps = hash:/etc/aliases
 alias_database = hash:/etc/aliases
diff --git a/postfix/sender_access b/postfix/sender_access
new file mode 100644
index 0000000..7c555a4
--- /dev/null
+++ b/postfix/sender_access
@@ -0,0 +1,10 @@
+# Sender access control for mailing lists
+# Format: sender_address ACTION
+# Actions: OK (allow), REJECT (block with message), DISCARD (silently drop)
+
+# Allow all board members from sasalliance.org domain
+sasalliance.org OK
+
+# Add other authorized senders as needed
+# user@external.com OK
+# anotherdomain.com OK
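Review bot: In the first main.cf.template hunk, `virtual_alias_domains = lists.sasalliance.org` names the same domain that `myhostname` carries, while the context line above still lists `$myhostname` in `mydestination`; the Postfix documentation says a virtual alias domain must never also be a `mydestination` domain, and Postfix logs a warning when it is. I would remove the overlap in the same change, e.g. `mydestination = localhost.$mydomain, localhost`. Separately, entrypoint.sh renders this template with a bare `envsubst`, which presumably also expands `$myhostname` and `$mydomain` from the container environment (to nothing when unset), so the rendered `mydestination` is worth confirming with `postconf -n` before relying on either reading.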
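Review bot: In the second main.cf.template hunk, `check_sender_access` under `smtpd_sender_restrictions` matches the envelope sender given in MAIL FROM, which the connecting client chooses itself, so the whitelist alone does not establish that a message comes from an authorised sender. Nothing in the hunk verifies that claim: there is no SPF/DKIM/DMARC policy check and no SASL or client-address condition ahead of the lookup. I would place a sender-verification step before `check_sender_access` (for example an SPF policy service wired in through `check_policy_service`) and state the limit in the file: `# NOTE: matches the unauthenticated MAIL FROM address; pair with SPF/DMARC verification`. The value of `mynetworks` is outside the hunk; in a container it should be confirmed that it does not cover the address external connections appear to arrive from, because `permit_mynetworks` is evaluated first in both restriction lists.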
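Review bot: In postfix/sender_access the entry `sasalliance.org OK` is wider than the comment above it: it permits every local part at the domain rather than board members only, and with Postfix's default `parent_domain_matches_subdomains` setting a bare domain key in an smtpd access map also matches subdomains, which would include `lists.sasalliance.org` itself. If only board members are meant to post, list their addresses one per line (`member@sasalliance.org OK`, placeholder address); otherwise reword the comment to `# Allow any sender address in sasalliance.org and its subdomains` so the file describes what it actually grants.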